ADVISORIES

• OSVDB-95749
• Vendor Advisory

GEM

activeresource

PATCHED VERSIONS

• >= 2.2.0

DESCRIPTION

activeresource contains a format string flaw in the request function of lib/active_resource/connection.rb. The issue is triggered as format string specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input when passed via the ‘result.code’ and ‘result.message’ variables. This may allow a remote attacker to cause a denial of service or potentially execute arbitrary code.

RELATED

• https://my.diffend.io/gems/activeresource/versions/2.1.0
• https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERESOURCE-20004
• http://osvdb.org/show/osvdb/95749